28 Sep 2022

Optus data leak: Online account claiming to be behind breach apologises, drops ransom threat

7:13 am on 28 September 2022
Hands on laptop writing code or using computer virus program for cyber attack

Some cyber security experts believe the account which has apologised for the breach is legitimate, but it has not been confirmed by Optus or the Australian Federal Police. Photo: 123rf

An online account that claims to be behind the Optus data breach says it has deleted its only copy of customers' information and it no longer cares about a ransom.

The account apologised to 10,200 Australians whose records it claimed to have leaked just hours earlier.

"Ransom not payed [sic] but we don't care any more," the user posted to website BreachForums just before noon on Tuesday.

"Was mistake to scrape publish data in first place."

Some cyber security experts believe the account is legitimate, but it has not been confirmed by Optus, or the Australian Federal Police (AFP).

Late last week, the same anonymous user posted a sample of data ostensibly from the breach, with an offer not to sell the data if Optus paid a $US1 million ransom.

In the account's latest post on Tuesday, they appeared to back down entirely, citing "too many eyes".

"We will not sale [sic] data to anyone," they posted.

"We can't if we even want to: personally deleted data from drive (Only copy)."

The user said they were sorry to the Australians who had had their data leaked.

"Australia will see no gain in fraud, this can be monitored," the post read.

The account also conveyed the author's "deepest apology" to Optus and wished the company well.

The account last week claimed the records included email addresses, dates of birth, first and last names, phone numbers, drivers licence and passport numbers.

Optus chief executive Kelly Bayer Rosmarin told ABC's AM on Tuesday that the company was doing "everything possible to be transparent, to be on the front foot".

Asked about a post last week by a user claiming to be selling the data, she said: "We have seen that there is a post like that on the dark web and the Australian Federal Police is all over that."

Bayer Rosmarin said the company was not "the villains" in the situation and that customers should be on high alert.

The AFP on Monday afternoon said it launched Operation Hurricane to identify the people behind the breach and protect Australians from identity fraud.

Assistant Commissioner Cyber Command Justine Gough said the investigation was going to be complex and lengthy.

"We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities," she said.

"Criminals, who use pseudonyms and anonymising technology, can't see us but I can tell you that we can see them."

Asssistant Commissioner Gough said it was an offence to sell or buy stolen identification credentials, with penalties of up to 10 years' imprisonment.(ABC News: Tim Swanston/File)

The AFP is working closely with Optus, the Australian Signals Directorate and overseas law enforcement.

Home Affairs Minister Clare O'Neil said she was "incredibly concerned" to hear data from the Optus breach included Medicare numbers, and that customer information had been offered for free and ransom.

She said Medicare numbers were "never advised to form part of the compromised information".

"Consumers have a right to know exactly what individual personal information has been compromised in Optus's communications to them. Reports today make this a priority," Ms O'Neil said.

Optus said it had been advised by police not to give a number for how many customers have been affected, and that it had contacted all those whose information was compromised in the attack.

Optus customers dating back to 2017 could be at risk of identity theft.

On Monday, Ms O'Neil accused the company of leaving customers data vulnerable to a "basic hack", which Optus has denied.

State governments offer help to replace victims' licences

State governments on Tuesday addressed concerns over leaked drivers licence details, with some saying they would work to support those affected who wish to replace their licences.

Queensland Transport Minister Mark Bailey posted to Twitter that new licences with new numbers would be provided free of charge to Queenslanders impacted by the breach.

Victoria is providing similar support to drivers and anyone involved in the breach can contact VicRoads to have their licence record flagged.

"Any Victorian affected by the data breach can replace their licence by contacting VicRoads through www.vicroads.vic.gov.au/optusbreach," a Department of Transport spokesperson said. "We will request Optus repays the cost of the new licences to the Victorian government."

South Australian Premier Peter Malinauskas said the state would also be waiving the fee for those who needed to replace their licences.

New South Wales Customer Service and Digital Government Minister Victor Dominello said on Twitter that Optus would contact customers in the coming days to advise whether or not they needed to apply for a replacement drivers licence.

He said people in the state with a digital drivers licence would have an interim card number issued instantaneously via the Service NSW app while a new plastic licence card would be issued within 10 business days.

"The cost to replace your driver licence is $29 and will be charged by Service NSW at the time of application - reimbursement advice will be issued by Optus to customers in the coming days," he wrote.

The ACT government in a statement said it was engaging with Optus and the federal government to assess the scope of information that may be compromised, to what extent it had affected residents, and to inform any further steps to protect those affected.

"As part of this, the ACT government is working through the issue of replacement driver licence cards for Canberrans who have had both driver licence numbers and card numbers compromised," the statement said.

A fact page is being established on the Access Canberra website and the ACT government is expected to provide an update on Wednesday.

- ABC

Get the RNZ app

for ad-free news and current affairs